If you’re one of the 70 million members of the PlayStation Network or Qriocity services, all of your personal and login information is compromised. Everything. That includes your name, address, e-mail address, birthday, user name and password. Your profile data, purchase history and password security answers may be compromised as well.

Sony says there’s no evidence that credit card information was taken, but it “cannot rule out the possibility.” Sony is encouraging PSN users to keep a close watch on their credit card statements, and has provided information for users who want to set up fraud alerts. You can find those details at the official PlayStation Blog.

As for when PSN will be back up, Sony says it has “a clear path” to bring systems back online, and hopes to restore “some services within a week.” However, Sony now has much bigger problems, having let a wealth of personal information, and possibly financial information, fall into the wrong hands.

All users will be getting a notification from Sony via e-mail, advising them to change their passwords for PSN (once it’s back online) and any other service for which the same password is used. Users are also warned to watch out for e-mail, postal and telephone scams. Understatement of the year goes to this sentence in Sony’s letter: “We thank you for your patience as we complete our investigation of this incident, and we regret any inconvenience.”


Never buying another Sony product again. This angers me so much. Sony failed in the PS2 generation for online services, and combining this atrocity with the implications they attempted to nail George Hotz for, they have clearly risen above the rest and shown that they are no contender for online services. I hope they go out of business in gaming. They have no place anymore. Why has it taken so long to issue such a statement, one that completely invalidates statements made by Sony reps on the uk.playstation blog saying there was no information compromised?

Pathetic. Utterly pathetic. I hope every product they ever make is pirated into the ground for such a terrible mistake and terrible demeanor in handling such a serious breach, which could have disastrous consequences for its user base. Hopefully signed homebrew and games become a possibility to lead to the demise of this hard-arsed company’s ways.

If CC info didn’t get out, is this really that big of a deal? Most of this info (aside from the PW) is available on most people on the net anyway. If you are using the same PW everywhere you get what you deserve.

My credit card details must have been compromised by PSN. I had my bank call me on Monday: 2 successful fraudulent online purchases, and 1 for £1600 made on Sunday which my bank luckily checked with me before accepting.

Even if they encrypted your password, you can "decode" the encryption using rainbow tables if your password is not too complex. So whether or not it was encrypted is irrelevant if you use a simple password.

Encryption doesn’t work for addresses, names and phones because the server has to be able to use them. Security Q&A should be hashed, or better still use phone… For credit cards, billing needs to work like PayPal agreements – one authorization agreement and a shared secret at purchase time. But no credit card company supports that. So for recurring billing and credit, they have to store the whole number with reversible encryption and that is harder to defend – and is not taught properly. Stuff like LINQ and NHibernate make it easier to do the wrong way.
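Two of the comments above make a concrete point about stored credentials: an unsalted, fast hash of a simple password is recovered by table lookup rather than brute force (the rainbow-table remark), and security-question answers should be hashed the same way a password is. The following is an added example, not code from the article or from Sony, showing the weak scheme and a hardened one side by side. The wordlist, passwords and security answer are constructed for the demonstration; the hardened scheme uses PBKDF2-HMAC-SHA256 with a per-record random salt, which is an assumption about what “hashed properly” means here rather than anything the page states.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Constructed wordlist: stands in for the "simple passwords" a precomputed table covers.
WORDLIST = ["password", "123456", "letmein", "qwerty", "playstation", "sony2011"]


def unsalted_sha1(password: str) -> str:
    """Weak scheme: fast, unsalted hash. Equal passwords give equal digests, so one
    table built once works against every user in a leaked database."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_lookup_table(words: Iterable[str]) -> Dict[str, str]:
    """Precompute digest -> plaintext for the wordlist. A real rainbow table compresses
    this with reduction chains, but the outcome is the same: a lookup, not a search."""
    return {unsalted_sha1(w): w for w in words}


def crack_unsalted(stored_digest: str, table: Dict[str, str]) -> Optional[str]:
    """Recover the password behind a leaked unsalted digest, if the table covers it."""
    return table.get(stored_digest)


@dataclass
class SaltedRecord:
    kdf: str
    iterations: int
    salt: bytes
    digest: bytes


def make_salted_record(secret: str, iterations: int = 200_000) -> SaltedRecord:
    """Hardened scheme: random per-record salt plus a deliberately slow KDF.
    The salt defeats precomputation; the iteration count makes each guess expensive."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    return SaltedRecord("pbkdf2-sha256", iterations, salt, digest)


def verify_salted(secret: str, record: SaltedRecord) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", secret.encode("utf-8"), record.salt, record.iterations
    )
    return hmac.compare_digest(digest, record.digest)


def normalize_answer(answer: str) -> str:
    """Security-question answers are low entropy and typed inconsistently ("Fluffy ",
    "fluffy"). Normalise before hashing so verification is forgiving, then store the
    result with make_salted_record rather than in the clear, exactly as a password."""
    return " ".join(answer.casefold().split())


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    leaked = unsalted_sha1("letmein")  # what an attacker reads from the dumped users table
    print("unsalted sha1 recovered:", crack_unsalted(leaked, table))
    rec = make_salted_record("letmein")
    print("salted digest present in table:", rec.digest.hex() in table)
    print("verify correct password:", verify_salted("letmein", rec))
    print("verify wrong password:", verify_salted("password", rec))
    ans = make_salted_record(normalize_answer("  Fluffy  the DOG "))
    print("security answer verifies:", verify_salted(normalize_answer("fluffy the dog"), ans))
```

The asymmetry is the whole point: against the unsalted column the attacker's cost is one dictionary lookup per user, paid once for the entire dump; against the salted column every user costs a fresh run of the wordlist through 200,000 PBKDF2 rounds, which is why a weak password is only "irrelevant to encrypt" under the first scheme.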

What do you expect when you mess with hackers? You sued the kids who cracked the PS3 and you angered the modding community, also that group.. I think it was 'an0nymous'? You really think you were safe doing that? It's pure payback – anyone can see.

Supernova failure but will happen again and again just because software idiots save the users' information without offering a cleanup or option to not store (for real).
While you keep putting the gold under glass pane, the thieves will try to break to get at it.

Stop this nonsense of saving credit card data, pronto! But I reckon there is the convenience side, so you have to judge the trade-off by yourself.

The interesting thing is that 70+ million people have accounts on PSN… That's probably more than most banks. Sigh… I would like to think that the group responsible for ensuring the security of those 70+ million accounts is standing on their heads right now worried about 2 things: 1) the inexcusable breach that allowed apparently unrestricted access to the PSN database and 2) where they plan to spend the rest of their natural lives, considering a breach this large might be considered criminal negligence. Even if they were sentenced to a single hour of jail time for each account breached, that's still 7,991 years…

I'm glad you all have opinions, now let's just hope this gets back up soon and they can make it happen. In a world where others are concerned over their life about taking a bus to work, I think we can consider ourselves fools for making such a stink about something that is obviously a flaw in our society to be so reliant on technology to begin with. It's fun, so I'm just keeping my fingers crossed I can play some SF4 and watch my Hulu sooner rather than later.

It is important to remember that if a company elects to store consumer credit card information, they assume the burden of protecting that information–just as they would their own. When a company fails to do that, they then become responsible for the financial liability of EACH account compromised.

While Sony is publicly suggesting that it is not likely that credit card information was compromised, the fact that they are not ruling it out is VERY significant. It implies that they cannot say, beyond a shadow of a doubt, that the CC information remains uncompromised.

From an IT perspective, this would suggest that the security measures which should have been in place to isolate sensitive financial information from general user information were either NOT there, or were also compromised.

A breach of this nature is almost certainly systemic and quite likely extends even into their corporate databases–a fact which may never reach public ears.

Collecting sensitive personal and financial information is certainly NOT against the law–especially when it is freely provided by the owners of that information. The problem occurs when 1) the information is collected without the owner's direct knowledge and permission, and 2) when the company collecting said information does not disclose a) its intended usage of the information and b) when said information has been compromised.

In this case, it seems as if Sony "did the right thing" by notifying the public of the breach and compromised data. In my not so humble opinion, the problem lies in the apparently lax security protocols that allowed the breach in the first place. A company like Sony should have sufficient financial resources to implement top-notch, best-of-breed security practices and policies.

You make a good point, and I'm 100% certain that Sony will make every effort to do just that–send the guilty hackers to prison. However, as I stated earlier, when a company collects sensitive personal and financial data, it assumes the responsibility for ensuring the protection of that information. So, if a single individual, or even a group of individuals, can successfully breach Sony's security–don't you think the company has some explaining to do?

Being an IT professional with over 20 years' experience, I feel that I can speak knowledgeably to this issue. Additionally, I have been married to an attorney for 15+ years and have discussed this matter ad nauseam with my wife.

Sony assumes no criminal liability in this breach. Sony has entered into contracts with the 70+ million subscribers and as such is limited to civil liabilities in this matter as set forth in said contracts. Consequently, Sony is only responsible for meeting the conditions of the contract as agreed to by each subscriber, plus any negligence on their part as a fiduciary party in securing their subscribers' sensitive and financial information.

Now, as for the technical aspect of this incident. If Sony was negligent in the manner in which the information was stored, there may be a case for breach of an implied, or possibly stated (I am not a subscriber and have not seen nor read the contract for service), fiduciary responsibility in securing subscribers' sensitive information.

Sony is a large and experienced company and is, OR SHOULD BE, aware of most if not all common hacks and exploits that exist in today's network / software / hardware environments. Knowing this, they should have implemented all available resources and technologies in an effort to prevent exposure of subscribers' sensitive information.

I agree completely, but getting services back online should be a priority. Once they have a new security system in place they can give exact details about what they had in place. Either Sony will be far in the wrong, using outdated/useless security protocols, or the hackers have found something new or are very good at what they do, and Sony had security much like many others out there. Either way I'm sure heads will roll inside Sony; if I were head of security I'd be handing in my resignation even if it's the latter case above.

"Hacking a personal ps3 is in no way similar to hacking a multilayered, secured network. The legal and monetary ramifications are in different leagues all together. ~ Onlooker"

You're right it’s not. Hacking a PS3 is legal and still SONY put its full force behind pummeling the kid so as to send a message to all who would dare to think they own what they bought. While the hack of the PSN network is illegal and I have no doubt SONY will do its most to find the perp(s). The question is will they do equally as much to make right with the users??? Doubt it.

Like most corporations they will do as little as the law allows them to get away with, and then less so long as the right people's payoffs are up to date.

You make some interesting points, but I think your statement "Sony has committed NO CRIME!" may be a bit premature, as it is far too early to determine if Sony has committed any crimes. That's not to imply guilt w/o due process–simply stating that it's too early in the game to call. However, your posts echoed my previous posts on several points, such as Sony's obligation to publicly disclose the breach, and the fact that a company of Sony's stature *SHOULD* have had top-notch data security measures in place. If Sony did not have adequate security measures, or if they were not properly implemented, I think Sony might still have to consider criminal charges of some kind. Either way, the company has some explaining to do.

There's a very real possibility that anonymous did not do this. They've denied it, and that's not like a hacker group.
Additionally, this seems to open the door for the government to implement anti-privacy regulations to prohibit 'cyber terrorism' and 'protect' us on the Internet.

Sounds crazy maybe, but this is just the kind of bad PR the government needs to start pushing through regulations that limit our freedoms on the Internet.

PCashMan, Sony is actually criminally liable, for any person's information that was compromised who lives in Massachusetts. They passed a law last year…for any personally identifiable information that is compromised they are liable to a fine of $1Million per record. How many users do you think they have that live in Massachusetts? And personally identifiable information has been defined, in that law, as even the user's email address!

There are probably hundreds of thousands of users in Boston alone! Last I read, other states were considering similar legislation.

The company that lost the data does not have to be in Massachusetts, only the users whose data was lost.

The larger failure here that no one discusses is how it is possible that simply knowing a credit card number and expiry date gives anyone access to the money in the account. The credit card industry should be completely shamefaced that the 'security' of their payment system relies on protecting numbers that can be either stolen or generated. The banking system should wake up and stop putting the onus on merchants for protecting their ridiculously insecure system.
